mturk 2005/06/01 05:06:55
Modified: jni/java/org/apache/tomcat/jni SSL.java SSLContext.java
jni/native/src sslcontext.c
Log:
Add context options settings.
Revision Changes Path
1.6 +50 -1 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java
Index: SSL.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSL.java,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- SSL.java 1 Jun 2005 06:38:09 -0000 1.5
+++ SSL.java 1 Jun 2005 12:06:55 -0000 1.6
@@ -88,6 +88,55 @@
 public static final int SSL_VERIFY_CLIENT_ONCE = 4;
 public static final int SSL_VERIFY_PEER_STRICT = (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+ public static final int SSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001;
+ public static final int SSL_OP_NETSCAPE_CHALLENGE_BUG = 0x00000002;
+ public static final int SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000008;
+ public static final int SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000010;
+ public static final int SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 0x00000020;
+ public static final int SSL_OP_MSIE_SSLV2_RSA_PADDING = 0x00000040;
+ public static final int SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 0x00000080;
+ public static final int SSL_OP_TLS_D5_BUG = 0x00000100;
+ public static final int SSL_OP_TLS_BLOCK_PADDING_BUG = 0x00000200;
+
+ /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+ * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
+ * the workaround is not needed. Unfortunately some broken SSL/TLS
+ * implementations cannot handle it at all, which is why we include
+ * it in SSL_OP_ALL. */
+ public static final int SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800;
+
+ /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
+ * This used to be 0x000FFFFFL before 0.9.7.
*/
+ public static final int SSL_OP_ALL = 0x00000FFF;
+
+ /* As server, disallow session resumption on renegotiation */
+ public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000;
+ /* If set, always create a new key when using tmp_dh parameters */
+ public static final int SSL_OP_SINGLE_DH_USE = 0x00100000;
+ /* Set to always use the tmp_rsa key when doing RSA operations,
+ * even when this violates protocol specs */
+ public static final int SSL_OP_EPHEMERAL_RSA = 0x00200000;
+ /* Set on servers to choose the cipher according to the server's
+ * preferences */
+ public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = 0x00400000;
+ /* If set, a server will allow a client to issue a SSLv3.0 version number
+ * as latest version supported in the premaster secret, even when TLSv1.0
+ * (version 3.1) was announced in the client hello. Normally this is
+ * forbidden to prevent version rollback attacks. */
+ public static final int SSL_OP_TLS_ROLLBACK_BUG = 0x00800000;
+
+ public static final int SSL_OP_NO_SSLv2 = 0x01000000;
+ public static final int SSL_OP_NO_SSLv3 = 0x02000000;
+ public static final int SSL_OP_NO_TLSv1 = 0x04000000;
+
+ /* The next flag deliberately changes the ciphertest, this is a check
+ * for the PKCS#1 attack */
+ public static final int SSL_OP_PKCS1_CHECK_1 = 0x08000000;
+ public static final int SSL_OP_PKCS1_CHECK_2 = 0x10000000;
+ public static final int SSL_OP_NETSCAPE_CA_DN_BUG = 0x20000000;
+ public static final int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 0x40000000;
+
+
 /* Return OpenSSL version number */
 public static native int version();
1.6 +13 -6 jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java
Index: SSLContext.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/java/org/apache/tomcat/jni/SSLContext.java,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- SSLContext.java 1 Jun 2005 11:44:36
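Review bot: The explanations attached to the new SSL_OP_* constants are plain `/* */` block comments, so none of them reach the generated API documentation, and a number of the constants — the nine `*_BUG`/padding workarounds at the top of the hunk, `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3`/`SSL_OP_NO_TLSv1`, and the two `SSL_OP_NETSCAPE_*` flags at the end — carry no comment at all. Converting the existing comments to Javadoc and adding a one-line Javadoc to each uncommented constant would let callers of `SSLContext.setOptions` see which flags weaken a protection rather than merely tolerate a broken peer; the hunk's own text already says that `SSL_OP_TLS_ROLLBACK_BUG` disables the version-rollback check and `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` disables the CBC countermeasure, which is exactly the kind of note a user needs to find in the docs. A short comment above the group, e.g. `/** OpenSSL SSL_OP_* option bits; these values must match the OpenSSL headers the native library is built against. */`, would also be worth adding, since the `SSL_OP_ALL` comment itself records that one of these values changed between OpenSSL releases. Finally, `ciphertest` in the PKCS#1 comment should read `ciphertext`.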
-0000 1.5
+++ SSLContext.java 1 Jun 2005 12:06:55 -0000 1.6
@@ -61,14 +61,14 @@
 * @return APR Status code.
 */
 public static native int free(long ctx);
-
+
 /**
 * Set Virtual host id. Usually host:port combination.
 * @param ctx Context to use.
 * @param id String that uniquely identifies this context.
 */
- public static native void setVhostId(long ctx, String id);
-
+ public static native void setVhostId(long ctx, String id);
+
 /**
 * Asssociate BIOCallback for input or output data capture.
 * <br />
@@ -81,13 +81,20 @@
 * [DEBUG] -- Debugging messaged
 * </PRE>
 * Callback can use that word to determine application logging level
- * by intercepting <b>write</b> call.
+ * by intercepting <b>write</b> call.
 * If the <b>bio</b> is set to 0 no error messages will be displayed.
 * Default is to use the stderr output stream.
 * @param ctx Server or Client context to use.
 * @param bio BIO handle to use, created with SSL.newBIO
 * @param dir BIO direction (1 for input 0 for output).
 */
- public static native void setBIO(long ctx, long bio, int dir);
+ public static native void setBIO(long ctx, long bio, int dir);
+ /**
+ * Set OpenSSL Option.
+ * @param ctx Server or Client context to use.
+ * @param options See SSL.SSL_OP_* for option flags.
+ * @return true on success, false in case of error
+ */
+ public static native void setOptions(long ctx, int options)
 }
1.10 +11 -1 jakarta-tomcat-connectors/jni/native/src/sslcontext.c
Index: sslcontext.c
===================================================================
RCS file: /home/cvs/jakarta-tomcat-connectors/jni/native/src/sslcontext.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- sslcontext.c 1 Jun 2005 11:44:37 -0000 1.9
+++ sslcontext.c 1 Jun 2005 12:06:55 -0000 1.10
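Review bot: The new `setOptions` declaration at the end of the second hunk has no terminating semicolon — it should read `public static native void setOptions(long ctx, int options);` — so SSLContext.java does not compile as committed. Its Javadoc also states `@return true on success, false in case of error` while the method is declared `void`; either the `@return` tag should go or the native side should return a status. The Java name `setOptions` further disagrees with the native implementation this same commit adds in sslcontext.c, `TCN_IMPLEMENT_CALL(void, SSLContext, setOption)`; assuming `TCN_IMPLEMENT_CALL` derives the JNI symbol from the class and method names, the symbol will not resolve and the first call throws `UnsatisfiedLinkError`, so the two names need to agree (this applies to the sslcontext.c hunk as well). Since `SSL_CTX_set_options` OR-s new bits into the context's existing options rather than replacing them, the parameter doc would be more accurate as `@param options SSL.SSL_OP_* flags to OR into the context's current options; bits already set are not cleared`. The first hunk is whitespace-only.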
@@ -259,6 +259,16 @@
 SSL_BIO_doref(bio_handle);
 }
+TCN_IMPLEMENT_CALL(void, SSLContext, setOption)(TCN_STDARGS, jlong ctx,
+ jint opt)
+{
+ tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
+
+ UNREFERENCED_STDARGS;
+ TCN_ASSERT(ctx != 0);
+ SSL_CTX_set_options(c, opt);
+}
+
 #else /* OpenSSL is not supported
 * If someday we make OpenSSL optional
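Review bot: `SSL_CTX_set_options(c, opt)` passes `c`, which the line above obtains as a `tcn_ssl_ctxt_t *` via `J2P`, where OpenSSL expects the `SSL_CTX *`; unless that wrapper struct happens to be layout-compatible with `SSL_CTX`, the option bits are written into the wrong object, and because `SSL_CTX_set_options` expands to `SSL_CTX_ctrl` in headers of this generation the compiler will at most warn about the incompatible pointer rather than reject it. Presumably the wrapper holds the real context in a member — the rest of this file is not in the hunk, but if the member is named `ctx` as is usual in tcnative, the call should be `SSL_CTX_set_options(c->ctx, opt);` (confirm against the struct definition). The only guard on the handle is `TCN_ASSERT(ctx != 0)`, which compiles out of non-debug builds, so a Java caller passing 0 would hand OpenSSL a NULL context; an explicit `if (!c) return;` ahead of the call would be cheap given the function is `void`. A one-line comment noting that the options are OR-ed into whatever the context already has would also help future readers, since nothing here can clear a bit.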